Clickonce encrypting connection strings question
-
I have a Clickonce .NET 2.0 winforms application located on a network share within our company intranet. I'm trying to avoid having to deal with other departments in setting up an AD group, managing users etc. because it is too much of a hassle even though I would love to use the integrated windows security... As far as I can tell the only other solution is to create a SQL server user with appropriate permissions on the database my program is connecting to and have my program use that SQL server user account to access the database, but if I do that the connection string will be just plain text anyone can read... unless it is encrypted. Placing the connection string within the code is not acceptable since with the .NET code it would be easily accessible using MSIL or Reflector. Placing the connection string within the app.config file and encrypting it (Securing Connection Strings: http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx) seemed like a good idea but it turns out the connection string must be encrypted/decrypted by the computer that will be running the program (The connection string can only be decrypted on the computer on which it was encrypted.) so it looks like the connection string would have to sit unencrypted on the network share and then my program would encrypt it during installation... Having an unencrypted connection string on a network share that must be available to everyone to read from in order to support the Clickonce deployment doesn't sound like a good idea to me... Anyway, does anyone know a good solution for this problem other than using integrated security and having to deal with a 72 hour turnaround for any changes to the AD group? TIA
-
It's not necessary that you use the connectionstring element in web.config. You can define your own element and encrypt it yourself using the .NET encryption classes. You could perhaps store the decryption key in a shared location.
-
Hi there, Thanks for your reply but as I mentioned in the first sentence of my question I'm dealing with a winforms application deployed with Clickonce and app.config, not web.config file...
-
My answer still applies. You can still encrypt the connection string in app.config using your own key. You just need to use a public-key cryptography algorithm.
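-
An added example, not code from any poster in this thread: the encrypt-on-the-client flow described in the question, using the DPAPI protected-configuration provider covered by the linked Securing Connection Strings article. The connection string name `AppDb` is a hypothetical placeholder, and the copy of app.config on the share stays in plain text, which is the exposure the question points out.

```csharp
using System;
using System.Configuration;

// Added example: encrypts the connectionStrings section of the locally
// installed <app>.exe.config with DPAPI, so it can only be decrypted on
// the machine that encrypted it. "AppDb" is a hypothetical name.
static class ConnectionStringProtector
{
    const string SectionName = "connectionStrings";
    const string Provider = "DataProtectionConfigurationProvider"; // DPAPI-backed

    // Call at startup, before the first database access. Checked on every
    // start rather than once, because an updated deployment brings a fresh
    // plain-text config with it. Returns true when this call encrypted the
    // section, false when it was already encrypted.
    public static bool EnsureProtected()
    {
        // Opens the installed copy of the config, not the one on the share.
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
            throw new ConfigurationErrorsException("No connectionStrings section found.");

        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(SectionName); // drop the cached plain-text copy
        return true;
    }

    static void Main()
    {
        bool changed = EnsureProtected();
        Console.WriteLine(changed
            ? "Section encrypted on this machine."
            : "Section was already encrypted.");

        // Reads are decrypted transparently by the configuration system.
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["AppDb"];
        Console.WriteLine(cs != null ? "AppDb loaded." : "AppDb is not configured.");
    }
}
```

The process must be able to write to its own config file, and any code running on that machine with access to the same DPAPI scope can still decrypt the section.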